8

我正在尝试从 Common Lisp 中以 PKCS#12 加密的客户端证书中提取信息。

我尝试了以下步骤:

  1. 将给定的 p12 文件加载到BIOwithd2i_PKCS12_bio
  2. 验证密码PKCS12_verify_mac
  3. 解析文件PKCS12_parse

这是实际的 CFFI 代码:

(defun load-pkcs12 (file &optional passphrase)
  (openssl-add-all-digests)
  (pkcs12-pbe-add)
  ;; 1. Load the given p12 file
  (let ((content (slurp-file file)))
    (cffi:with-pointer-to-vector-data (data-sap content)
      (let* ((bio (bio-new-mem-buf data-sap (length content)))
             (p12 (d2i-pkcs12-bio bio (cffi:null-pointer)))
             (pkey (evp-pkey-new))
             (cert (x509-new)))
        (unwind-protect
             (progn
               ;; 2. Verify the passphrase
               (let ((res (pkcs12-verify-mac p12 (or passphrase (cffi:null-pointer)) (length passphrase))))
                 (when (zerop res)
                   (error (format nil "Error while verifying mac~%~A" (get-errors)))))

               ;; 3. Parse the file
               (cffi:with-foreign-objects ((*pkey :pointer)
                                           (*cert :pointer))
                 (setf (cffi:mem-ref *pkey :pointer) pkey
                       (cffi:mem-ref *cert :pointer) cert)
                 (let ((res
                         (pkcs12-parse p12
                                       (or passphrase (cffi:null-pointer))
                                       *pkey
                                       *cert
                                       (cffi:null-pointer))))
                   (when (zerop res)
                     (error "Error in pkcs12-parse~%~A" (get-errors)))))
               (pkcs12-free p12)

               ;; 4. Show the result
               (let ((bio (cl+ssl::bio-new (bio-s-mem))))
                 (unwind-protect
                      (progn
                        (x509-print-ex bio cert 0 0)
                        (bio-to-string bio))
                   (bio-free bio))))
          (evp-pkey-free pkey)
          (x509-free cert))))))

但是,结果X509_print_ex总是没有意义的:

Certificate:
Data:
    Version: 1 (0x0)
    Serial Number: 0 (0x0)
    Signature Algorithm: itu-t
    Issuer: 
    Validity
        Not Before: Bad time value

当我用命令尝试它时看起来很好openssl,所以我假设 p12 文件没问题:

$ openssl pkcs12 -in sslcert.p12 -clcerts -nokeys
Enter Import Password: <input passphrase>
MAC verified OK
Bag Attributes
    localKeyID: 31 0E 0D 31 05 8D 20 13 BA B3 81 85 57 AD 28 52 9F D0 19 BE
subject=/C=JP/ST=Tokyo/L=Minato/O=<company>/OU=Development/CN=<user>/emailAddress=admin@example.co.jp
issuer=/C=JP/ST=Tokyo/O=<company>/OU=Development/CN=SuperUser Intermediate CA/emailAddress=admin@example.co.jp
-----BEGIN CERTIFICATE-----
...PEM-encoded certificate...
-----END CERTIFICATE-----

mime 的完整片段在 gist 上。主要功能是load-pkcs12, 在文件的底部。

(load-pkcs12 #P"/path/to/sslcert.p12" "password")

有人可以帮忙吗?

我提到的

4

0 回答 0